• $150 – $3,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

27 vulnerabilities rewarded

Validation within 1 day
75% of submissions are accepted or rejected within 1 day

$858.33 average payout (last 3 months)

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Octopus Deploy invites you to test and help secure our primary publicly facing assets - focusing first on our primary web application. We appreciate your efforts and hard work in making the internet (and Octopus Deploy) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program.

Good luck and happy hunting!

What you should know before you start

  • This program only focuses on our testing subdomain - bc.octopus.com - any testing activity in on https://octopus.com will be treated as malicious and blocked
  • Ensure that you use your @bugcrowdninja.com email address when you’re testing our assets, any use of other email addresses may be treated as malicious and blocked.
  • Ensure that you understand the targets, scopes, exclusions, and rules below. Please feel free to reach out and ask questions to clarify. We want you to feel as confident as possible.

Ratings / Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority. Please see below for any deviations from the standard VRT.

Reward range

Last updated

Technical severity Reward range
p1 Critical $2,100 - $3,000
p2 Severe $1,000 - $1,250
p3 Moderate $450 - $600
p4 Low $150 - $200
P5 submissions do not receive any rewards for this program.


In scope

Target name Type Tags
bc.octopus.com Website Testing
  • Website Testing
  • Bootstrap
  • .NET
  • Microsoft IIS

Out of scope

Target name Type
octopus.com Website Testing
bc-account.octopus.com Website Testing
*.octopus.app Website Testing

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Octopus not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Target Info

we're in the process of moving testers from the old test*.octopus.com subdomains as we we're having issues with the user registrations, so please use the bc*.octopus.com instead - thanks!

Please note, that on occasion, this site may be unavailable either during deployment or routine maintenance, and we don’t treat these as high availability assets. Please be patient with us as these instances are updated as part of our delivery pipeline at random times.


Please sign up for an account using your @bugcrowdninja.com email address.
For more info regarding @bugcrowdninja email addresses, see here.

When getting started, click the sign in URL at https://bc.octopus.com/register?registerReturnUrl=%2Fsignin and register there.

Focus Areas

Ultimately, we want to allow our customers to have a safe environment to manage their accounts, access our documentation and manage their instances. Therefore, we're interested in traditional web application vulnerabilities, as well as other vulnerabilities that can have a direct impact to our customers. Below is a list of some of the vulnerability classes that we are seeking reports for:

  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
  • Path/Directory Traversal Issues

Out of Scope & other Exclusions

To be as clear as possible, the following are also out of scope for testing:

  • Our self-hosted Octopus Deploy product, including authentication and authorization plugins
  • Our cloud hosted Octopus Deploy product - heads up: we’re hoping to include this is in the future this means you won't be able to use the 'Create cloud instance' button - and will see an error in our test environment
  • Any of our closed or open source tooling, build chain, or public facing repositories, email and IM servers, social media accounts or 3rd party SaaS products that we use to deliver our services
  • Blind XSS must not return any user data that you do not have access to (e.g. Screen shots, cookies that aren't owned by you, etc); when testing for blind XSS, please use the least invasive test possible (e.g. calling 1x1 image or nonexistent page on your webserver, etc).
  • When testing, please exercise caution if injecting on any form that may be publicly visible - such as forums, etc. Before injection, please make sure your payload can be removed from the site. If it cannot be easily removed, please check with support@bugcrowd before performing the testing.
  • Pivoting and post exploitation attacks are fine particularly between test.octopus.com & test-account.octopus.com - so long as you aren’t attempting to destroy any infrastructure or data.
  • Any internal or development services
  • The use of Automated scanners is prohibited
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
    • CSRF attacks that require knowledge of the CSRF token (e.g. attacks involving a local machine).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Content Spoofing.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled.
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security.
    • X-Frame-Options.
    • X-XSS-Protection.
    • X-Content-Type-Options.
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.
    • Content-Security-Policy-Report-Only.
    • Cache-Control and Pragma
  • SSL/TLS Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack.
    • SSL Forward secrecy not enabled.
    • SSL weak/insecure cipher suites.
  • No Load testing (DoS/DDoS etc) is allowed on the test websites.
  • Self-XSS reports will not be accepted.
    • Similarly, any XSS where local access is required (i.e. User-Agent Header injection) will not be accepted. The only exception will be if you can show a working off-path MiTM attack that will allow for the XSS to trigger.
  • Vulnerabilities that are limited to old browsers - will not be accepted (i.e. "this exploit only works in IE6/IE7").
  • Known vulnerabilities in used libraries, (e.g. jQuery) - unless you can prove exploitability.
  • Missing or incorrect SPF records of any kind.
  • Missing or incorrect DMARC records of any kind.
  • Any kinds of source code disclosure.
  • Information disclosure of non-confidential information (e. g. issue id, project id).
  • Email bombing
  • Request flooding (e.g. pixel flooding - we consider this a DoS attempt)
  • Testing rate limits
  • Session cookies for https://bc-account.octopus.com will be valid for up to 10 minutes after logging out. Please do not report on any session fixation/management vulnerabilities unless you can show an account takeover after 10 minutes.

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Octopus not listed in the targets section is out of scope. This includes any/all subdomains not listed above. IF you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to Octopus org, it may be reported to this program, and is appreciated - but will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.

Other Rules

  • You must ensure that customer data is not affected in any way as a result of your testing. Please ensure you're being non-destructive whilst testing.
  • In addition to the above, customer instances are not to be accessed in any way (i.e. no customer data is accessed, customer credentials are not to be used or "verified")
  • If you believe you have found sensitive customer data (e.g., login credentials, API keys etc) or a way to access customer data (i.e. through a vulnerability) report it, but do not attempt to successfully validate if/that it works.
  • Use of any automated vulnerability scanners is prohibited
  • Reports need to be submitted in plain text (associated pictures/videos are fine as long as they're in standard formats). Non-plain text reports (e.g. PDF, DOCX) will be asked to be resubmitted in plain text.
  • Grants/awards are at the discretion of Octopus Deploy and we withhold the right to grant, modify or deny grants.
  • Please no social engineering, phishing or unauthorized access to infrastructure.
  • Please don’t test the physical security of Octopus Deploy offices, employees, equipment, etc.
  • This bounty follows Bugcrowd’s standard disclosure terms.

Public Disclosure

Before disclosing an issue publicly we require that you first request permission from us. Octopus Deploy will process requests for public disclosure on a per report basis. Requests to publicly disclose an issue that has not yet been fixed for customers will be rejected.

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.